              Audit Report

The Social Security Administration’s
 Process to Identify and Monitor the
   Security of Hardware Devices
     Connected to its Network

       A-14-13-13050 | October 2013


MEMORANDUM

Date:      October 1, 2013                                                    Refer To:

To:        The Commissioner
From:      Inspector General
Subject:   The Social Security Administration’s Process to Identify and Monitor the Security of Hardware
           Devices Connected to its Network (A-14-13-13050)

           The attached final report presents the results of our audit. Our objective was to determine
           whether the Social Security Administration’s process for identifying and monitoring hardware
           devices connected to its network effectively differentiated unapproved devices and ensured
           devices were at a reasonable system security level.

           If you wish to discuss the final report, please call me or have your staff contact
           Steven L. Schaeffer, Assistant Inspector General for Audit, at (410) 965-9700.

                                                           Patrick P. O’Carroll, Jr.

           Attachment


The Social Security Administration’s Process to Identify and
Monitor the Security of Hardware Devices Connected to its
Network
A-14-13-13050
October 2013                                                               Office of Audit Report Summary

Objective

To determine whether the Social Security Administration’s (SSA) process for identifying and
monitoring hardware devices connected to its network effectively differentiated unapproved
devices and ensured devices were at a reasonable system security level.

Background

SSA’s Fiscal Year 2012 Federal Information Security Management Act of 2002 report stated that
its automated processes identified 276,165 hardware devices connected to its network. SSA uses
automated tools to provide the Department of Homeland Security with security metrics. The
metrics include the number of hardware devices connected to the network, whether there are
secure configuration baselines, and the number of certain security incidents detected.

We selected a sample of hardware devices identified by the Agency’s network scanning tool to
determine whether SSA approved these devices and the devices were operating at a reasonable
system security level.

Our Findings

While the Agency has a process to identify hardware devices connected to its network, we
determined the Agency’s inventory was incomplete and inaccurate. Additionally, SSA did not
approve all of the hardware devices connected to its network. Moreover, although SSA has
processes to monitor the security level of connected devices, these processes were inconsistent
with Agency policy in effect at the time of our audit.

Our Recommendations

We recommend the Agency:

1. Pursue implementing systems, through a risk-based process, to ensure only approved and
   security-compliant hardware devices are connected to its network.

2. Revise its policy to document who or which Agency component manages each hardware device
   connected to its network and is responsible for adequately securing these devices. The policy
   should better describe and define roles and responsibilities for monitoring security levels for
   all hardware devices.

3. Ensure hardware devices identified in this audit are at a reasonable security level.

SSA agreed with our recommendations.


TABLE OF CONTENTS
Objective ................................................................................ 1
Background ............................................................................... 1
Results of Review ........................................................................ 2
     Hardware Device Information Missing in Agency Systems .............................. 3
     Network Scanning Tool Unable to Provide Sufficient Hardware Identification ......... 4
     Not All Hardware Devices Are Approved for Connection to the Network ................ 7
     Monitoring Process Inconsistent with Policy ........................................ 8
Conclusions ............................................................................. 10
Recommendations ......................................................................... 10
Agency Comments ......................................................................... 11
Appendix A – Scope and Methodology ..................................................... A-1
Appendix B – Missing Device Identifiers ................................................ B-1
Appendix C – Glossary of Terms ......................................................... C-1
Appendix D – Agency Comments ........................................................... D-1
Appendix E – Major Contributors ........................................................ E-1

SSA’s Process to Identify and Monitor the Security of Hardware Devices (A-14-13-13050)


ABBREVIATIONS
DHS                  Department of Homeland Security
FISMA                Federal Information Security Management Act of 2002
FY                   Fiscal Year
ISSH                 Information Systems Security Handbook
NIST                 National Institute of Standards and Technology
OIG                  Office of the Inspector General
OMB                  Office of Management and Budget
SP                   Special Publication
SSA                  Social Security Administration
TSRP                 Telephone System Replacement Project
U.S.C.               United States Code


OBJECTIVE
Our objective was to determine whether the Social Security Administration’s (SSA) process for
identifying and monitoring hardware devices connected to its network effectively differentiated
unapproved devices and ensured devices were at a reasonable system security level. 1

BACKGROUND
Each Federal agency must submit an annual report to the Department of Homeland Security
(DHS) 2 providing an overview of the adequacy and effectiveness of its information security
policies, procedures, practices, and compliance with the Federal Information Security
Management Act of 2002 (FISMA) requirements. 3 SSA uses automated tools to provide DHS
with security metrics. The metrics 4 include the number of hardware devices connected to the
network, whether there are secure configuration baselines, and the number of certain security
incidents detected. OMB includes these metrics, along with those of other Federal agencies, in
its annual FISMA report to Congress. 5 SSA’s Fiscal Year (FY) 2012 FISMA report 6 stated that
its automated processes identified 276,165 hardware devices connected to its network, which it
stated represented 100 percent of the hardware devices connected to its network.

SSA has an automated tool that scans its network and identifies hardware devices. This
inventory is available at an Agency level. SSA stated that as of January 2013, it had about
326,000 hardware devices connected to its network. 7

1 For the purposes of this review, we defined a reasonable system security level to be one where the manufacturer
supports the operating system and the device is at a current release.
2 Office of Management and Budget (OMB), M-10-28, Clarifying Cybersecurity Responsibilities and Activities of
the Executive Office of the President and the Department of Homeland Security (DHS), July 6, 2010. Among its
other responsibilities, DHS oversees the Government-wide and agency-specific implementation of, and reporting on,
cyber-security policies and guidance.
3 Pub. L. No. 107-347, Title III, Section 301 §3544(c)(1), 44 U.S.C. §3544(c)(1).
4 These are a sample of the metrics reported to DHS.
5 OMB, Fiscal Year 2012 Report to Congress on the Implementation of the Federal Information Security
Management Act of 2002, March 2013.
6 SSA, Chief Information Officer Section Report, 2012 Annual FISMA Report.
7 The Agency’s network scanning tool provided this number, and it represents the network addresses connected to
the Agency’s network. This does not represent the Agency’s hardware inventory, as there could be multiple
network addresses for a hardware device, and the network scanning tool cannot enumerate devices that are turned
off. SSA stated it was replacing desktops and refreshing servers in January 2013. This explains the difference
between what the Agency reported in its FY 2012 FISMA report and the number it provided in January 2013 for
this review.


OMB requires that agencies protect Government information commensurate with the risk and
magnitude of harm that would result from its loss, misuse, or unauthorized access. 8 Agencies
must remain vigilant to defend information systems, especially in a resource-constrained
environment, while balancing system security with operational capability through a
risk-management process. 9

To achieve our objective, we reviewed SSA’s processes for identifying and monitoring hardware
devices connected to its network. We categorized the hardware devices based on the operating
system provided by the Agency’s network scanning tool. We selected a sample of hardware
devices by the various categories to determine whether SSA approved these devices and the
devices were operating at a reasonable system security level. For the purposes of this review, we
defined a reasonable system security level to be one where the manufacturer supports the
operating system and the device is at a current release. For additional scope and methodology,
see Appendix A.

RESULTS OF REVIEW
While SSA has a process to identify hardware connected to its network, it needs to improve the
process to comply with Federal requirements. 10 Although SSA stated it identified all hardware
devices connected to its network, we determined the Agency’s inventory of hardware devices
was incomplete and inaccurate. Additionally, SSA did not approve all of the hardware devices
connected to its network. 11

Further, the Agency’s processes for monitoring 12 reasonable system security levels for hardware
devices connected to its network were inconsistent with SSA policy. Additionally, not all
hardware devices were operating at a reasonable system security level. 13

8 OMB Circular No. A-130, Revised, (Transmittal Memorandum No. 4), Management of Federal Information
Resources, 8.a.1.(g).
9 DHS, FY 2012 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy
Management, FISMA 12-02, February 15, 2012.
10 FISMA requires that Federal agencies comply with Federal Information Processing Standards and therefore
agencies may not waive their use; they are compulsory and binding. National Institute of Standards and Technology
(NIST), Federal Information Processing Standards Publication 200, Minimum Security Requirements for Federal
Information and Information Systems, March 2006, requires agencies to meet minimum security requirements through
the use of security controls in accordance with NIST Special Publication (SP) 800-53. NIST SP 800-53 includes
security controls for information system component inventory (CM-8).
11 This represents sampled hardware devices where SSA could not provide acquisition documentation.
12 Monitoring in the context of this review means to ensure the hardware device is at a reasonable security level.
13 See Footnote 1.


Hardware Device Information Missing in Agency Systems
SSA provided a list of hardware devices connected to its network. 14 From this list, we selected
183 devices to review. We found that for 48 hardware devices, the device specifications, 15
machine name, 16 or network address 17 was incomplete. FISMA reporting requires that agencies
report the number of hardware devices for which these details were collected as part of asset
management. 18 Additionally, Federal standards list these detailed items, along with others, as
information needed to achieve effective property accountability. 19

FISMA requires that Federal agencies secure information systems that support their operations
and assets. 20 In doing so, agencies must assess the risk and magnitude of harm resulting from
unauthorized access. Agencies must know what devices (authorized and unauthorized) are
connected to their networks so they can secure those devices. In its FY 2012 FISMA report to DHS,
SSA reported it identified 100 percent of the hardware devices connected to its network. Per
FY 2012 FISMA reporting guidance, 21 agencies must provide the number of devices for which
they were able to collect the (1) network address, (2) machine name, and (3) unique hardware
number or serial number. 22

We used multiple SSA tools 23 to locate required hardware device information. For
85 (46 percent) of 183 sampled hardware devices, SSA’s tools provided all required information.
For 48 (26 percent) of 183 sampled hardware devices, 1 or more pieces of required information
was missing 24 (see Appendix B for details). Further, we removed 50 (27 percent) of
183 hardware devices from our sample 25 (see Table 1). In addition, after we finished our
fieldwork, we noted that SSA updated one of its tools to more easily provide the unique
hardware number.

14 See Footnote 7.
15 Can include serial number or unique hardware number.
16 The name assigned to a hardware device connected to the network.
17 A unique way to identify the location of a hardware device on a network.
18 DHS, FY 2012 Chief Information Officer Federal Information Security Management Act Reporting Metrics, p. 15.
19 NIST SP 800-53 Revision 3, Recommended Security Controls for Federal Information Systems and
Organizations, August 2009, p. F-44, CM-8.
20 Pub. L. No. 107-347, Title III, Section 301 §3544(a)(2), 44 U.S.C. §3544(a)(2).
21 DHS, Supra note 18, p. 15.
22 This is a key FISMA metric, meaning the expected level of performance is adequate security.
23 See Appendix A.
24 Some hardware devices, by their nature, may not have one of the required pieces of information.
In these cases, we did not count that as missing information for the sample.
25 Thirteen sampled hardware devices were no longer connected to the network, and 37 sampled hardware devices
were misidentified, as described in the next section of the report.


                        Table 1 – Hardware Device Information in SSA’s Systems
                                                                           Number of       Percent of Total
             Availability of (1) Computer Network Address,                  Sampled           Sampled
              (2) Machine Name, and (3) Unique Hardware                    Hardware           Hardware
                        Number or Serial Number                             Devices            Devices
            All Information Available                                           85                 46
            One or More Pieces of Information Missing                           48                 26
            Removed from Review 26                                              50                 27
                                    TOTAL                                      183                 99*
           * Numbers do not add up to 100 due to rounding.

Network Scanning Tool Unable to Provide Sufficient Hardware
Identification
The Agency’s network scanning tool 27 provided incorrect results for 40 (22 percent) of
183 sampled hardware devices. For example, the Agency’s network scanning tool identified
37 (20 percent) of 183 sampled hardware devices as Toshiba digital copiers (an Input/Output
peripheral), but we determined these devices were Telephone System Replacement Project
(TSRP) 28 equipment. We reclassified the Toshiba digital copiers as TSRP telephones (see
Table 2). In this instance, the misidentification of hardware equipment is a lower risk to the
Agency since SSA monitors TSRP telephones but does not monitor Input/Output Peripherals. 29

26 Id.
27 This tool uses weighted criteria to identify the operating system of connected hardware devices.
28 TSRP is SSA’s project to transport voice traffic (telephone calls) over its network.
29 SSA stated it had not found a commercial tool to monitor Input/Output peripherals.


                       Table 2 – Hardware Devices Connected as of January 2013
                                                                    Original
                                                      Original      Percent     New      Percent
                   Hardware Category 30                Count        of Total    Count    of Total
              Desktop                                 131,561        40.36     131,561    40.36
              Input/Output Peripheral                  92,647        28.42      18,032     5.53
              Network Device                           48,803        14.97      48,803    14.97
              TSRP Telephone                           17,037         5.23      91,652    28.12
              Multi-Platform                           14,327         4.40      14,327     4.40
              Server                                   11,154         3.42      11,154     3.42
              [Unknown]                                 4,940         1.52       4,940     1.52
              Appliance                                 3,097         0.95       3,097     0.95
              Storage Device                            1,050         0.32       1,050     0.32
              Video Device                                571         0.18         571     0.18
              Virtual Machine                             561         0.17         561     0.17
              Server/iSeries                              172         0.05         172     0.05
              Uninterruptable Power Supply                 58         0.02          58     0.02
              Private Branch Exchange                       3         0.00           3     0.00
                           TOTAL                      325,981                  325,981     100*
            * Numbers do not add up to 100 due to rounding.

As of January 2013, SSA had 4,940 hardware devices that were not associated with an operating
system and were reported as “unknown” (see Table 2). When the Agency’s network scanning
tool cannot identify an operating system, it classifies the system as “unknown.” This represented
about 1.5 percent of all hardware devices connected to the Agency’s network as of January 2013.
In its FY 2012 FISMA report, 31 SSA stated that it could track the installed operating system
vendor, product, version, and patch-level combination(s) in use on the hardware devices. 32

We sampled 50 hardware devices categorized as unknown. Using SSA tools, 33 we determined
that 17 (34 percent) of 50 sampled hardware devices were used in the TSRP implementation, and
10 (20 percent) of 50 were network devices. However, for 18 (36 percent) of 50 devices, we
obtained some details about the operating system but not enough to identify the device. Finally,
5 (10 percent) of 50 unknown devices were no longer connected to SSA’s network (see Table 3).

30 Descriptions of the hardware categories are located in Appendix C.
31 SSA, Supra, note 6.
32 DHS, Supra, note 18, p. 16, question 2.4.
33 See Appendix A.


                                   Table 3 – Unknown Hardware Devices
                                                                     Number of           Percent of
                                                                      Sampled          Total Sampled
                                                                     Hardware            Hardware
                            Identification Status                     Devices             Devices
              Identified as TSRP Devices                                 17                   34
              Identified as Network Devices                              10                   20
              Unable to Identify and Locate Device                       18                   36
              Device No Longer Connected to Network                       5                   10
                                  TOTAL                                  50                  100

Because cyber-security is an important factor for agencies to provide essential services to
citizens, in FY 2011 the Administration identified continuous monitoring 34 as one of three
FISMA priorities. 35 Furthermore, DHS affirmed that asset management was one of the first areas
where continuous monitoring needed to be developed. Agencies must know which hardware
devices are connected before they can manage the devices for vulnerabilities. 36

According to FY 2012 FISMA 37 reporting requirements, agencies must provide DHS the number
of hardware devices connected to their respective networks where a computer-generated report
provides Agency-level inventory information.
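The completeness test behind Tables 1 and 3, as an added worked example that is not part of the report and uses neither SSA's tools nor its data: each scanner-reported device is classified by whether all three FISMA identifiers could be collected, the footnote 24 rule (an identifier a device cannot have by its nature is not counted as missing) is applied, and devices that are no longer connected or that the scanner misidentified are set aside as in footnote 25. The device records, the categories treated as exempt from an identifier, and the rule that an "[Unknown]" scanner result is resolved rather than treated as a misidentification are constructed assumptions.

```python
"""Inventory completeness check modelled on the FY 2012 FISMA asset metric:
for each device the network scanner reports, can the Agency's systems supply
(1) a network address, (2) a machine name and (3) a unique hardware number or
serial number?  All records below are constructed sample data."""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# The three identifiers the metric asks for.
REQUIRED = ("network_address", "machine_name", "serial_number")

# Assumption: identifiers that a category cannot have "by its nature"
# (footnote 24), so their absence is not counted as missing.  The report
# does not name such categories; a virtual machine without a hardware serial
# number is used here as a plausible case.
NOT_APPLICABLE = {"Virtual Machine": {"serial_number"}}

UNKNOWN = "[Unknown]"   # the scanner's label when it cannot identify an OS


@dataclass
class ScanRecord:
    """One row of a scanner export (constructed)."""
    network_address: str
    scanned_category: str          # category derived from the scanner's OS guess
    still_connected: bool = True   # False when a re-scan no longer finds the address


@dataclass
class RegisterRecord:
    """What the asset-management tools hold for an address (constructed)."""
    machine_name: Optional[str] = None
    serial_number: Optional[str] = None
    category: Optional[str] = None   # category confirmed by the register


def classify(scan: ScanRecord, reg: Optional[RegisterRecord]) -> str:
    """Map one device to a review outcome of the kind used in Table 1."""
    if not scan.still_connected:
        return "removed: no longer connected"
    confirmed = reg.category if reg else None
    # A concrete scanner category that the register contradicts is a
    # misidentification (footnote 25).  "[Unknown]" is not one: the scanner
    # made no claim, so the register's category simply resolves the device.
    if confirmed and scan.scanned_category not in (UNKNOWN, confirmed):
        return "removed: misidentified by scanner"
    category = confirmed or scan.scanned_category
    values = {
        "network_address": scan.network_address,
        "machine_name": reg.machine_name if reg else None,
        "serial_number": reg.serial_number if reg else None,
    }
    exempt = NOT_APPLICABLE.get(category, set())
    missing = [k for k in REQUIRED if not values[k] and k not in exempt]
    return "one or more missing" if missing else "all information available"


def summarize(scans: List[ScanRecord],
              register: Dict[str, RegisterRecord]) -> Dict[str, object]:
    """Counts and rounded percentages per outcome, laid out as in Table 1."""
    outcomes = Counter(classify(s, register.get(s.network_address)) for s in scans)
    total = sum(outcomes.values())
    return {
        "total": total,
        "counts": dict(outcomes),
        "percent": {k: round(100 * v / total) for k, v in outcomes.items()},
    }


# Constructed sample: seven scanned addresses and what the register knows.
SAMPLE_SCANS = [
    ScanRecord("10.0.0.1", "Desktop"),
    ScanRecord("10.0.0.2", "Desktop"),                  # register has no serial
    ScanRecord("10.0.0.3", "Input/Output Peripheral"),  # register: TSRP Telephone
    ScanRecord("10.0.0.4", "Virtual Machine"),          # serial not applicable
    ScanRecord("10.0.0.5", "Server", still_connected=False),
    ScanRecord("10.0.0.6", UNKNOWN),                    # register resolves it
    ScanRecord("10.0.0.7", UNKNOWN),                    # nothing in register
]
SAMPLE_REGISTER = {
    "10.0.0.1": RegisterRecord("WS-0001", "SN-A1", "Desktop"),
    "10.0.0.2": RegisterRecord("WS-0002", None, "Desktop"),
    "10.0.0.3": RegisterRecord("PH-0003", "SN-P3", "TSRP Telephone"),
    "10.0.0.4": RegisterRecord("VM-0004", None, "Virtual Machine"),
    "10.0.0.5": RegisterRecord("SRV-0005", "SN-S5", "Server"),
    "10.0.0.6": RegisterRecord("SW-0006", "SN-N6", "Network Device"),
}

if __name__ == "__main__":
    for scan in SAMPLE_SCANS:
        outcome = classify(scan, SAMPLE_REGISTER.get(scan.network_address))
        print(f"{scan.network_address:<10} {outcome}")
    print(summarize(SAMPLE_SCANS, SAMPLE_REGISTER))
```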
38 An accurate and current inventory, controlled by tools that scan network addresses and manage
configuration, can reduce the chance of attackers finding unauthorized and unprotected systems to
exploit. To identify weaknesses, agencies rely on their ability to correctly identify the operating
system of hardware devices. If the Agency cannot correctly identify the hardware devices connected
to its network, it is unable to manage the necessary security controls. 39 However, the Agency uses
layers of security – such as intrusion detection systems and system monitoring – to identify
indicators of potential issues before they occur.

In January 2012, SSA developed a Cyber Security Engineering Strategy, 40 in which it stated the
Agency plans to improve its ability to secure hardware devices by addressing “. . . audit findings
in the area of network access controls to eliminate the ability for an unknown hardware device to
attach to SSA's network.” During our review period, SSA provided a presentation 41 in which it
stated it is “. . . investigating the feasibility of implemented [sic] a Network Access Control
Solution” to mitigate network access control findings. According to the Agency, “. . . this
solution will verify all systems meet SSA configuration requirements prior to being permitted to
access production network resources.” We believe the Agency should pursue implementing
systems, through a risk-based process, to ensure only approved and security-compliant hardware
devices are connected to its network.

34 Continuous monitoring is a technique to address the security impacts on an information system resulting from
changes to the hardware, software, firmware, or operational environment.
35 DHS, Supra, note 18, p. 5.
36 Id. at p. 17.
37 Id. at p. 15.
38 This control was selected as one of the highest impact controls for government-wide application based on input
from multiple cyber security experts, who considered public, private, and intelligence threat information.
39 DHS, Supra, note 18, p. 17.
40 SSA, Cyber Security Engineering Strategy, January 2012, p. 7.


Not All Hardware Devices Are Approved for Connection to the
Network
We reviewed a sample of 162 hardware devices to determine whether SSA approved them to be
connected to its network. 42 We found that SSA had not approved all of the devices we reviewed.
Per SSA’s Information Systems Security Handbook (ISSH), 43 hardware devices are considered
approved to be connected to the Agency’s network as long as they are procured through an
SSA-sanctioned requisition process. 44 However, SSA has no approval process ensuring
hardware devices are adequately secured after purchase. According to FISMA, Federal agencies
are required to provide information security to reduce the risk of unauthorized access. 45 Also,
Federal guidelines 46 state agencies should include in their inventories information deemed
necessary by the organization to achieve effective property accountability; this can include the
system owner. 47 More specifically, FISMA reporting requirements state that a hardware device
is approved when it is assigned to a particular person or group at a low enough level to ensure
effective responsibility and security.

For 55 (34 percent) of 162 sampled hardware devices, we verified that SSA approved the
hardware connected to its network. We found 82 (51 percent) of 162 sampled hardware devices
were not approved before they were connected to the Agency’s network. 48 For 25 (15 percent)
of 162 sampled hardware devices, 49 there was not enough information to determine whether the
devices were approved (see Table 4). There was not enough information because SSA’s
processes to identify a system owner were inconsistent and undocumented.

41 SSA, Office of Information Security, Division of Technical Operations.
42 See Appendix A for sampling methodology.
43 SSA, ISSH Version 2.7, April 2013 § 11.3.1.
44 SSA’s procurement process does not ensure the device is secure.
45 Pub. L. No. 107-347, Title III, Section 301, 3544(a)(2)(A) – (C), 44 U.S.C. §3544(a)(2)(A) – (C).
46 NIST SP 800-53 Revision 3, August 2009, p. F-44, CM-8(a).
47 An individual or organizational unit responsible for the operation and maintenance of a hardware device.
48 This represents sampled hardware devices where SSA could not provide acquisition documentation.
49 Twenty-two of these were part of the unknown hardware category.


                                    Table 4 – Approving Hardware Devices
                                                                                       Percent of Total
                                                          Number of Sampled           Sampled Hardware
                            State                         Hardware Devices                 Devices
        Approved to be Connected                                    55                            34
        Not Approved to be Connected                                82                            51
        Not Enough Information Available                            25                            15
                       TOTAL                                       162                           100

It is essential to ensure hardware devices operate as intended. SSA cannot achieve this without
proper policies and procedures to ensure hardware devices are approved prior to installation.
SSA stated it has layers of security controls in place to reduce the probability of threat.
However, a key goal of managing hardware is to identify and remove unmanaged hardware
devices before they can be exploited and used to attack other assets. 50 In July 2013, after
completion of our fieldwork, SSA implemented a revised policy 51 for managing hardware,
software, and platform configuration. We reviewed the revised policy and believe it begins to
address our concerns but is still vague on who manages all of the hardware devices. We believe
SSA should revise its policy to document who or which Agency component manages each
hardware device connected to its network and is responsible for adequately securing the device.

Monitoring Process Inconsistent with Policy
The Agency had processes for monitoring 52 most hardware devices connected to its network to
ensure they operate at a reasonable system security level. However, the processes were
inconsistent with policy in effect during our audit period. Further, SSA did not have processes to
monitor input/output peripherals, appliances, or uninterruptable power supplies – about 6 percent
of the hardware devices connected to its network. We found that groups in SSA’s Headquarters
monitored 59 of 162 sampled hardware devices. 53 We found that SSA local managers (outside
the Office of Systems) were responsible for monitoring 9 of the 162 sampled hardware devices.
However, managers we interviewed did not understand they were responsible for monitoring the
sampled devices, so they did not monitor security in compliance with SSA’s ISSH. 54 There was
not enough information to determine whether SSA monitored the remaining 94 sampled
devices 55 (see Table 5).

50 DHS, Supra, note 18, p. 17, “. . . an underlying assumption is that if hardware devices are unmanaged, they are
probably vulnerable, and will be exploited if not removed or approved quickly.”
51 SSA, ISSH Version 3.1, July 2013 § 11.5.
52 There are many types of monitoring for hardware devices. Monitoring in the context of this review means to
ensure that the hardware device is at a reasonable system security level.
53 Includes desktops, network devices, and Server/iSeries.
54 SSA, ISSH Version 2.7, April 2013, Chapter 11 § 11.3.4.


                                     Table 5 – Monitoring Hardware Devices
                                                                                         Percent of Total
                                                         Number of Sampled              Sampled Hardware
                             State                       Hardware Devices                    Devices
        Centrally Monitored                                           59                            36
        Locally Assigned                                               9                             6
        Not Enough Information Available                              94                            58
                        TOTAL                                        162                           100

We determined that, of the 59 centrally monitored hardware devices, 55 were at a reasonable
system security level. However, SSA did not have sufficient information to make a
determination on the remaining four hardware devices. For the nine sampled hardware devices
assigned to local managers, four were not at a reasonable system security level and five did not
have enough information for us to make a determination. For the remaining 94 hardware
devices, we could not verify whether those devices were at a reasonable system security level. 56

SSA’s ISSH states that local managers are responsible for monitoring the use of approved
non-standard hardware. 57 Moreover, SSA’s ISSH 58 states local managers are responsible for
securing SSA-owned hardware. However, local staff we interviewed stated Headquarters or the
regional offices were responsible for monitoring hardware devices for reasonable system security
levels. Within the Office of Systems, the Office of Information Security develops and maintains
information security policies, standards, and procedures. The Office of Information Security
also manages the reporting and monitoring processes that ensure compliance with Government
policies. Additionally, the Office of Telecommunications and Systems Operations provides the
telecommunications infrastructure and network security and policies. SSA’s policies, in effect at
the time of our audit, are not clear on who is responsible for monitoring the hardware devices to
ensure they operate at a reasonable security level. In July 2013, after completion of our
fieldwork, SSA revised its policy, but the policy does not define roles and responsibilities for
monitoring the security of hardware devices.

55 For 50 sampled hardware devices (TSRP telephones), SSA did not monitor these hardware devices for security
compliance, but stated that a TSRP telephone must meet the established security configuration before it can connect
to the network. SSA did not provide documentation to support that it installed the phones at a reasonable security
level. SSA could not locate 2 hardware devices, identify the owner of 21 hardware devices, or provide
documentation for 24 hardware devices.
56 For 23 hardware devices, we could not locate the device to identify its system security level. For 71 of the
hardware devices, the Agency was unable to provide documentation showing the system security level.
57 SSA, ISSH Version 2.7, April 2013, Chapter 11 § 11.3.4.a. Per SSA, non-standard hardware is purchased by
local offices.
58 Id., Chapter 11 § 11.3.4.f.


Federal guidelines 59 recommend that the Agency group that monitors security should define
which hardware devices and operating systems they support and clearly communicate this
information to those who manage technical aspects – for SSA, this includes local managers.
Additionally, local support staff “. . . should be taught how to independently monitor and
remediate unsupported hardware equipment, operating systems, and software applications.” 60

We believe the Agency should resolve the inconsistencies among its policies and procedures for
monitoring hardware devices. Additionally, SSA should revise its policy to better describe and
define roles and responsibilities for monitoring security levels for all hardware devices. Finally,
SSA should ensure the hardware devices identified in this audit are at a reasonable security level.

CONCLUSIONS
According to DHS, cyber security is constantly shifting because of the relentless and dynamic
threat environment, emerging technologies, and new vulnerabilities.
61 Therefore, Federal\nagencies must remain vigilant to defend information systems, especially in a resource-\nconstrained environment, balancing system security with operational capability.\n\nWhile the Agency has a process to identify hardware devices connected to its network, we\ndetermined the Agency\xe2\x80\x99s inventory was incomplete and inaccurate. Additionally, SSA did not\napprove all of the hardware devices connected to its network. Moreover, although SSA has\nprocesses to monitor the security level of connected devices, these processes were inconsistent\nwith Agency policy in effect at the time of our audit.\n\nRECOMMENDATIONS\nWe recommend the Agency:\n\n1. Pursue implementing systems, through a risk-based process, to ensure only approved and\n   security-compliant hardware devices are connected to its network.\n\n2. Revise its policy to document who or which Agency component manages each hardware\n   device connected to its network and is responsible for adequately securing these devices.\n   The policy should better describe and define roles and responsibilities for monitoring security\n   levels for all hardware devices.\n\n3. Ensure hardware devices identified in this audit are at a reasonable security level.\n\n\n\n\n59\n  NIST SP 800-40 Version 2.0, Creating a Patch and Vulnerability Management Program, November 2005, p. 2-6,\n2.2.3.1.\n60\n     Id.\n61\n     DHS, Supra, note 18, p. 4.\n\n\n\nSSA\xe2\x80\x99s Process to Identify and Monitor the Security of Hardware Devices (A-14-13-13050)                   10\n\x0cAGENCY COMMENTS\nSSA agreed with our recommendations. See Appendix D for the full text of the Agency\xe2\x80\x99s\ncomments. 
In addition to the formal comments, SSA provided a technical comment, which has\nbeen addressed, where appropriate, in this report.\n\n\n\n\nSSA\xe2\x80\x99s Process to Identify and Monitor the Security of Hardware Devices (A-14-13-13050)   11\n\x0c                                        APPENDICES\n\n\n\n\nSSA\xe2\x80\x99s Process to Identify and Monitor the Security of Hardware Devices (A-14-13-13050)\n\x0cAppendix A \xe2\x80\x93 SCOPE AND METHODOLOGY\nTo accomplish the audit objective, we:\n\n\xe2\x80\xa2   Reviewed applicable Federal laws, regulations, guidelines, and standards as well as Social\n    Security Administration (SSA) policies and procedures.\n\xe2\x80\xa2   Reviewed Federal Information Security Management Act of 2002 (FISMA) reporting\n    requirements, and SSA\xe2\x80\x99s Chief Information Officer section of the 2012 annual FISMA\n    report.\n\xe2\x80\xa2   Reviewed prior Office of the Inspector General reports.\n\xe2\x80\xa2   Obtained a list of the 325,981 hardware devices connected to SSA\xe2\x80\x99s network as of\n    January 2013 and categorized them by operating system for sampling (see Table 2).\n\xe2\x80\xa2   Selected a random sample of 183 hardware devices (see Hardware Device Sample section\n    below).\n\xe2\x80\xa2   Attempted to determine the system owner and location of the sampled hardware devices and\n    device details (computer network address, machine name, unique hardware number) using\n    the following SSA developed tools IP Address to Switch Port, IP Address Mapping Tool,\n    OTSO Networking Database and PinView; and SSA\xe2\x80\x99s implementation of Microsoft System\n    Center Configuration Manager 2007.\n\xe2\x80\xa2   Attempted to determine the actual type of hardware device for the \xe2\x80\x9cunknown\xe2\x80\x9d samples.\n\xe2\x80\xa2   Interviewed system owners of the sampled hardware devices and obtained screen shots and\n    procurement documentation.\n\xe2\x80\xa2   Analyzed data obtained.\n\xe2\x80\xa2   
Compared the operating system version and release level to the most recent versions and\n    releases supported by the manufacturer; we did not look at the specific system configuration\n    of the hardware.\n\nWe obtained a sufficient understanding of information systems controls as they related to this\nreview. We assessed the completeness, accuracy, and validity of the data from the scanning\ntools. We determined the data from SSA\xe2\x80\x99s network scanning tool were sufficient to enumerate\nhardware devices.\n\nWe conducted our audit from November 2012 through April 2013 in Baltimore, Maryland. The\nentities reviewed were the Offices of Budget, Finance and Management; Disability Adjudication\nand Review; Operations; and Systems. We conducted this performance audit in accordance with\ngenerally accepted government auditing standards. Those standards require that we plan and\nperform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our\nfindings and conclusions based on our audit objectives. We believe the evidence obtained\nprovides a reasonable basis for our findings and conclusions based on our audit objectives.\n\n\n\n\nSSA\xe2\x80\x99s Process to Identify and Monitor the Security of Hardware Devices (A-14-13-13050)           A-1\n\x0cHardware Device Sample\nIn its FY 2012 FISMA report, 1 the Agency identified 276,165 hardware devices 2 connected to its\nnetwork. We obtained a more recent list and sorted the devices into 14 categories (see Table 2).\n\nBased on the ZIP code provided by the Agency, we identified hardware devices within a 50-mile\nradius of an audit office; this was approximately 39 percent of the total population. Because of\nlimited budget resources, we decided Office of Audit staff could conduct the interviews and\non-site inspections within a 50-mile radius of their office. However, during our review, we\ndecided to conduct telephone interviews of local staff to save additional monies. 
From the list of\nhardware devices within a 50-mile radius of an audit office, we randomly selected 50 items each\nfrom the Desktop and Input/Output peripheral categories (100 sample items), since they were the\n2 categories that comprised 50 percent of the total population. We randomly selected\n50 unknown hardware devices. We also randomly selected 3 items from the remaining\n11 categories (33 sample items). The total sample size was 183.\n\nWe attempted to identify a system owner 3 for each of the sampled hardware devices from the\nnetwork address 4 provided by the Agency\xe2\x80\x99s network scanning tool. The Agency did not have a\ntool to identify a system owner based on the network address of a device. Instead, SSA\nidentified tools to assist us in our research but stated the tools were not designed for this\nfunction. As we conducted our review, we removed nine sampled hardware devices from our\npopulation because the devices moved on the network. For these sampled hardware devices, we\nwere unable to determine whether the hardware device was the same hardware device identified\nduring the original network scan results received from SSA. As a result, our sample size\ndecreased from 183 to 174.\n\nBecause SSA\xe2\x80\x99s scanning tool incorrectly identified some Input/Output peripherals, we\nreclassified those devices based on what the devices actually were\xe2\x80\x94 Telephone System\nReplacement Project (TSRP) equipment (see Table 2). Consequently, the percentage of\nhardware devices categorized as Input/Output Peripherals and TSRP telephone categories\nchanged. TSRP telephone was now the second largest hardware category (originally it was\nfourth), and Input/Output Peripherals were fourth (originally second)\xe2\x80\x94effectively the categories\nswitched places. In this instance, the misidentification of hardware equipment is a lower risk to\nthe Agency, since SSA monitors TSRP telephones but does not monitor Input/Output\nPeripherals. 
Because of this adjustment for percent of total in 2 hardware categories, we\nchanged our sample; reducing it to 177 hardware devices.\n\n\n\n\n1\n    SSA, Chief Information Officer Section Report, 2012 Annual FISMA Report.\n2\n The FY 2012 FISMA population and the most recent inventory difference may be due to purchases and retirement\nas well as devices and networks that are off, not operational, or disconnected from the network.\n3\n    Person responsible for the operation and maintenance of the hardware device.\n4\n    A unique way to identify the location of a hardware device on a network.\n\n\n\nSSA\xe2\x80\x99s Process to Identify and Monitor the Security of Hardware Devices (A-14-13-13050)                    A-2\n\x0cAdditionally we found some hardware devices were removed from the network. Therefore, we\naltered our sample size from 183 to 162 hardware devices as shown in Table A-1 below.\n\n                                       Table A\xe2\x80\x931: Sample Size Changes\n                          Reason for Change                                 Added        Removed          Sample\n                                                                                                           Size\n    Starting Sample Size                                                                                      183\n    Hardware Devices Moved on the Network                                                     9               173\n    Incorrectly Identified Input/Output Devices                                              37               137\n    Extra Input/Output Peripheral Samples                                                     7               130\n    Extra Telephone System Replacement Project Samples                                        3               127\n    New Telephone System Replacement Project Samples 5                        50                              177\n    Devices No Longer Connected to the Network                                         
      15               162\n                        Ending Sample Size                                                                    162\n\n\n\n\n5\n    Since they were one of the two hardware categories that now made up 50 percent of the total population.\n\n\n\nSSA\xe2\x80\x99s Process to Identify and Monitor the Security of Hardware Devices (A-14-13-13050)                              A-3\n\x0cAppendix B \xe2\x80\x93 MISSING DEVICE IDENTIFIERS\nThe following table details the hardware categories and the missing identifying information\n(machine name, serial number, unique hardware number). 1 Knowing all identifying information\nhelps the Agency rapidly find the specific security control for hardware equipment that has been\ncompromised or breached or is in need of mitigation. Additionally, it can aid in determining\nlocation of, and person responsible for, the hardware equipment.\n\n\n\n\n                                                                                                                                                                 Virtual Machine\n\n                                                                                                                                                                                   Server (iSeries)\n                                                                                                                                                Storage Device\n                                                              Multi-Platform\n                                             I/O Peripheral\n\n\n\n\n                                                                                              Video Device\n\n\n\n                                                                                                                       TSRP Phone\n\n                                                                                                                                    Appliance\n                
                                                                                             Unknown\n                                   Desktop\n\n\n\n\n                                                                               Server\n\n\n\n\n                                                                                                                                                                                                      Total\n                                                                                        UPS\n           Missing\n         Information\n     Machine Name Only                                        2                1                             13                     1           3                                                     20\n     Serial Number Only                                                                                       9                                                                                        9\n     Unique Hardware                                                                                          6        2                                                           2                  10\n     Number and Serial\n     Number\n     Machine Name,                 1                          1                               1              6                                                                                        9\n     Unique Hardware\n     Number, and Serial\n     Number\n           TOTAL                   1                          3                1              1              34        2            1           3                                  2                  48\n\n\n\n\n1\n    The machine name is the name assigned to a hardware device connected to the network.\n\n\n\nSSA\xe2\x80\x99s Process to Identify and Monitor the Security of Hardware Devices (A-14-13-13050)                                                                                                     
           B-1\n\x0cAppendix C \xe2\x80\x93 GLOSSARY OF TERMS\nThis section provides a glossary of terms used within this report. While these terms may have\nbroader definitions, we defined them as we used them in the context of this review.\n\nAdequate Security/Adequately Secure \xe2\x80\x93 security commensurate with the risk and magnitude of\nthe harm resulting from the loss, misuse, or unauthorized access to or modification of\ninformation, assuring that systems operate effectively and provide appropriate confidentiality,\nintegrity, and availability. 1\n\nAppliance \xe2\x80\x93 see Hardware Category.\n\nApproved to be Connected \xe2\x80\x93 any item procured through an SSA-sanctioned requisition process.\n\nAsset Management \xe2\x80\x93activities across the enterprise related to items that have value (to include,\nbut not limited to, information technology systems, hardware, software, and networks).\n\nAutomated capability \xe2\x80\x93 product or report is generated by a computer. 2\n\nContinuous Monitoring \xe2\x80\x93 a technique to address the security impacts on an information system\nresulting from changes to the hardware, software, firmware, or operational environment. 3\n\nCyber-Attack \xe2\x80\x93 an attempt to disrupt, disable, destroy, or maliciously control a computer\nenvironment; or destroy the integrity of or steal the data on a computer network or system.\n\nCyber Security \xe2\x80\x93 measures taken to protect a computer or computer system against\nunauthorized access or cyber-attack.\n\nDesktop \xe2\x80\x93 see Hardware Category.\n\nDigital Copiers \xe2\x80\x93 device that uses optical technology to scan documents, store the image, and\nthen print the stored image.\n\nHardware Category \xe2\x80\x93 groups used to classify SSA\xe2\x80\x99s hardware devices.\n\n\n\n\n1\n Office of Management and Budget Circular No. 
A-130, Appendix III, Security of Federal Automated Information\nResources, A.2.a\n2\n Department of Homeland Security, FY 2012 Chief Information Officer Federal Information Security Management\nAct Reporting Metrics, p. 19.\n3\n National Institute of Standards and Technology SP 800-37 Revision 1, Guide for Applying the Risk Management\nFramework to Federal Information Systems, February 2010, page G-1.\n\n\n\nSSA\xe2\x80\x99s Process to Identify and Monitor the Security of Hardware Devices (A-14-13-13050)                     C-1\n\x0c        Appliance \xe2\x80\x93 hardware designed for a specific information technology function in a\n        closed architecture that may contain an operating system, storage, and specific\n        applications; they may be external to a hardware device or internal (embedded devices).\n\n        Desktop \xe2\x80\x93a type of computer used in a stationary location.\n\n        Input/Output Peripheral \xe2\x80\x93 device assigned a network address that inputs or outputs\n        data.\n\n        Multi-Platform \xe2\x80\x93 devices whose operating system could run on hardware devices falling\n        into more than one hardware category on SSA\xe2\x80\x99s network.\n\n        Network Devices \xe2\x80\x93 includes routers, switches, load balancers, and firewalls.\n\n        Private Branch Exchange \xe2\x80\x93 an in-house telephone switching system hat interconnects\n        telephone extensions.\n\n        Server \xe2\x80\x93 computer on a network that manages access to a centralized resource or services\n        in a network.\n\n        Server/iSeries \xe2\x80\x93 is IBM's (AS/400) midrange server.\n\n        Storage Device \xe2\x80\x93 hardware devices capable of holding information and includes disk\n        storage, tape drives and tape libraries.\n\n        TSRP Phone \xe2\x80\x93 telephones deployed in SSA\xe2\x80\x99s implementation to transport voice traffic\n        over its network.\n\n        Uninterruptable Power Supply 
\xe2\x80\x93 device that provides backup power when the electrical\n        power fails or drops to an unacceptable voltage level.\n\n        [Unknown] \xe2\x80\x93 devices for which the operating system could not be determined when\n        scanned to identify the population of devices connected to the Agency\xe2\x80\x99s network.\n\n        Video Devices \xe2\x80\x93 includes video equipment for the audio-video conferencing as well as\n        the cameras used for security.\n\n        Virtual Machine \xe2\x80\x93 software that emulates a physical computing environment.\n\nHardware Device \xe2\x80\x93 includes any machine assigned a network address and connected to the\nAgency\xe2\x80\x99s network.\n\nInput/Output Peripheral \xe2\x80\x93 see Hardware Category.\n\nMachine Name \xe2\x80\x93 the name assigned to a hardware device connected to the network.\n\nMulti-Platform \xe2\x80\x93 see Hardware Category.\n\n\n\nSSA\xe2\x80\x99s Process to Identify and Monitor the Security of Hardware Devices (A-14-13-13050)       C-2\n\x0cNetwork Address \xe2\x80\x93 unique way to identify the location of a hardware device on a network.\n\nNetwork Devices \xe2\x80\x93 see Hardware Category.\n\nNetwork Scanning Tool \xe2\x80\x93 application that examines the network systematically to obtain data\nabout connected hardware devices.\n\nOperating System \xe2\x80\x93 software that controls the processes of a hardware device.\n\nSanctioned Requisition Process \xe2\x80\x93 term used within SSA\xe2\x80\x99s Information Systems Security\nHandbook to describe how SSA procures hardware devices.\n\nSecurity Controls \xe2\x80\x93 safeguards and countermeasures prescribed for IT systems designed to\nprotect the confidentiality, integrity, and availability of information processed, stored, and\ntransmitted by those IT systems.\n\nServer \xe2\x80\x93 see Hardware Category.\n\nServer/iSeries \xe2\x80\x93 see Hardware Category.\n\nStorage Device \xe2\x80\x93 see Hardware Category.\n\nSwitch 
\xe2\x80\x93 a device that channels data and determines its intended hardware destination.\n\nSystem Monitoring \xe2\x80\x93 collection and display of real-time performance data for a local computer\nor remote computers according to defined criteria.\n\nSystem Owner \xe2\x80\x93 the individual or organizational unit responsible for the operation and\nmaintenance of the hardware device.\n\nSystem Security Level \xe2\x80\x93 operating system version and release supported by manufacturer.\n\nThreat environment \xe2\x80\x93 the circumstances, objects, or conditions by which surround the potential\nfor a threat-source to exercise (accidentally trigger or intentionally exploit) a specific\nvulnerability.\n\nUninterruptable Power Supply \xe2\x80\x93 see Hardware Category.\n\nUnknown Hardware Devices \xe2\x80\x93 see Hardware Category.\n\nUnmanaged Devices \xe2\x80\x93 devices not assigned to a particular person or group at such a level as to\neffectively assign responsibility.\n\nVideo Devices \xe2\x80\x93 see Hardware Category.\n\nVirtual Machine \xe2\x80\x93 see Hardware Category.\n\n\n\n\nSSA\xe2\x80\x99s Process to Identify and Monitor the Security of Hardware Devices (A-14-13-13050)           C-3\n\x0c           Appendix D \xe2\x80\x93 AGENCY COMMENTS\n\n\n\n\n                                             SOCIAL SECURITY\n\nMEMORANDUM\n\n\nDate:      September 13, 2013                                                                       Refer To:   S1J-3\n\nTo:        Patrick P. O\xe2\x80\x99Carroll, Jr.\n           Inspector General\n\nFrom:      Katherine Thornton /s/\n           Deputy Chief of Staff\n\nSubject:   Office of the Inspector General Draft Report, \xe2\x80\x9cThe Social Security Administration\xe2\x80\x99s Process to\n           Identify and Monitor the Security of Hardware Devices Connected to its Network\xe2\x80\x9d\n           (A-14-13-13050)--INFORMATION\n\n           Thank you for the opportunity to review the draft report. 
Please see our attached comments.\n\n           Please let me know if we can be of further assistance. You may direct staff inquiries to\n           Gary S. Hatcher at (410) 965-0680.\n\n           Attachment\n\n\n\n\n           SSA\xe2\x80\x99s Process to Identify and Monitor the Security of Hardware Devices (A-14-13-13050)                   D-1\n\x0cCOMMENTS ON THE OFFICE OF THE INSPECTOR GENERAL DRAFT REPORT,\n\xe2\x80\x9cTHE SOCIAL SECURITY ADMINISTRATION\xe2\x80\x99S PROCESS TO IDENTIFY AND\nMONITOR THE SECURITY OF HARDWARE DEVICES CONNECTED TO ITS\nNETWORK\xe2\x80\x9d (A-14-13-13050)\n\nRecommendation 1\n\nPursue implementing systems, through a risk-based process, to ensure only approved and\nsecurity-compliant hardware devices are connected to its network.\n\nResponse\n\nWe agree. We will continue our efforts to pursue, procure, and implement solutions to ensure\nthe identification of connected devices on our network. We have implemented the foundational\nsteps in enumerating all connected devices to identify if they are authorized or unauthorized.\nWith our recently implemented Hardware, Software, and Platform Configuration Policy, we\nprovide clear guidance for security compliance, requiring users to select from an authorized list\nof hardware, software, and platforms that follow security configuration guidelines. Our new\npolicy was a prerequisite for any additional enhancement in ensuring only security compliant\ndevices are connected.\n\nRecommendation 2\n\nRevise its policy to document who or which Agency component manages each hardware device\nconnected to its network and is responsible for adequately securing the device. The policy\nshould better describe and define roles and responsibilities for monitoring security levels for all\nhardware devices.\n\nResponse\n\nWe agree. 
On July 19, 2013, we published a revised Information Systems Security Handbook,\ncombining Chapter 11, \xe2\x80\x9cHardware, Software, and Platform Configuration Policy\xe2\x80\x9d with Chapter\n17, \xe2\x80\x9cRemovable Media and Protection from Data Loss.\xe2\x80\x9d However, the revised policy clearly\naddresses the issues of hardware security levels by using and relying on agency standard\nconfigurations and states the expectations and responsibilities of the Information Technology\n(IT) Security Staff, local managers and system owners for these as well as for any approved\nexceptions.\n\nRecommendation 3\n\nEnsure hardware devices identified in this audit are at a reasonable security level.\n\n\n\n\nSSA\xe2\x80\x99s Process to Identify and Monitor the Security of Hardware Devices (A-14-13-13050)           D-2\n\x0cResponse\n\nWe agree. We have implemented an effective penetration-testing program to complement the\nexisting processes for identifying vulnerabilities. The penetration-testing program assists in\nidentifying security gaps that may still exist in the overall IT security program, defining areas of\nnecessary improvements. 
We are confident the penetration-testing program will assist us in\nidentifying vulnerabilities and reducing the risks to our IT systems.\n\n\n\n\nSSA\xe2\x80\x99s Process to Identify and Monitor the Security of Hardware Devices (A-14-13-13050)           D-3\n\x0cAppendix E \xe2\x80\x93 MAJOR CONTRIBUTORS\nBrian Karpe, Director, Information Technology Audit Division\n\nMary Ellen Moyer, Audit Manager, Information Technology Audit Division\n\nJan Kowalewski, Auditor in Charge\n\nCheryl Dailey, Auditor\n\n\n\n\nSSA\xe2\x80\x99s Process to Identify and Monitor the Security of Hardware Devices (A-14-13-13050)   E-1\n\x0c                                           MISSION\nBy conducting independent and objective audits, evaluations, and investigations, the Office of\nthe Inspector General (OIG) inspires public confidence in the integrity and security of the Social\nSecurity Administration\xe2\x80\x99s (SSA) programs and operations and protects them against fraud,\nwaste, and abuse. We provide timely, useful, and reliable information and advice to\nAdministration officials, Congress, and the public.\n\n\n                                   CONNECT WITH US\nThe OIG Website (http://oig.ssa.gov/) gives you access to a wealth of information about OIG.\nOn our Website, you can report fraud as well as find the following.\n   \xe2\x80\xa2   OIG news                                  In addition, we provide these avenues of\n   \xe2\x80\xa2   audit reports\n                                                 communication through our social media\n                                                 channels.\n   \xe2\x80\xa2   investigative summaries\n   \xe2\x80\xa2   Semiannual Reports to Congress                Watch us on YouTube\n   \xe2\x80\xa2   fraud advisories                              Like us on Facebook\n   \xe2\x80\xa2   press releases\n                                                     Follow us on Twitter\n   \xe2\x80\xa2   congressional testimony\n   \xe2\x80\xa2   an 
interactive blog, \xe2\x80\x9cBeyond The              Subscribe to our RSS feeds or email updates\n       Numbers\xe2\x80\x9d where we welcome your\n       comments\n\n\n                          OBTAIN COPIES OF AUDIT REPORTS\nTo obtain copies of our reports, visit our Website at http://oig.ssa.gov/audits-and-\ninvestigations/audit-reports/all. For notification of newly released reports, sign up for e-updates\nat http://oig.ssa.gov/e-updates.\n\n\n                          REPORT FRAUD, WASTE, AND ABUSE\nTo report fraud, waste, and abuse, contact the Office of the Inspector General via\n   Website:        http://oig.ssa.gov/report-fraud-waste-or-abuse\n   Mail:           Social Security Fraud Hotline\n                   P.O. Box 17785\n                   Baltimore, Maryland 21235\n   FAX:            410-597-0118\n   Telephone:      1-800-269-0271 from 10:00 a.m. to 4:00 p.m. Eastern Standard Time\n   TTY:            1-866-501-2101 for the deaf or hard of hearing\n\x0c"